fix vault client certificates loaded from envirnoment variables #943
Conversation
BrandonHoffman
force-pushed
the
certificate_fix
branch
from
38a9600 to
24b8e9f
Compare
|
@BrandonHoffman welcome and thanks for submitting this! I've been away traveling but I intend to take a look at the backlog some more after I get back and get caught up on other things, so it might take a little while but I will review this! In the meantime run |
|
@briantist - no worries, just know we were hitting issues with this in my org and figured it would effect others. The fmt/lint issue is fixed. |
BrandonHoffman
force-pushed
the
certificate_fix
branch
from
fc57663 to
01a04e9
Compare
|
also fixed an integration test issue related to integration tests running in python 3.7 which does not support the nested with syntax I initially used. |
There was a problem hiding this comment.
I can't imagine how that original code worked, with the list split into a string like that. @briantist I've reviewed this. The code looks good, and I've validated that what's being passed to the adapter is what requests is expecting.
Rather than change all tests to use the environment, we should add new tests for this use case specifically - mTLS authentication with the certs passed to the client as parameters, and mtls with the certs passed in the environment.
Another issue I have, and this is not aimed at this committer, we are implicitly passing authentication parameters from the adapter to the requests session. While functional and technically not a bug, Its best practice to be implicit with authentication and authorization parameters.
|
The issue with the implicit auth parameters does not need to be fixed in this PR, just pointing out the issue. It should probably be tracked as a security enhancement bug. |
|
Hey @adammike, toggling everything to use the environment variables was actually a mistake...... accidentally checked in the global toggle to true that I used locally just to validate everything was working with this flow. I actually only intended for this one subclass to be the test case for using the environment variables since it seemed like it would be enough to validate this flow. |
|
Looks good to me! |
Codecov Report
@@ Coverage Diff @@
## develop #943 +/- ##
===========================================
+ Coverage 83.60% 83.67% +0.06%
===========================================
Files 65 65
Lines 3007 3007
===========================================
+ Hits 2514 2516 +2
+ Misses 493 491 -2
|
There was a problem hiding this comment.
This all looks good! Thanks for this fix @BrandonHoffman .
The only thing I want to consider before merging is whether we're able to release this in a minor version or whether we should wait until a major out of an abundance of caution.
It's technically a breaking change. It should only hit someone who:
- is passing values for these both directly and in environment variables
- is passing the desired values in environment variables
- is passing undesired values directly
While the remedy is clear for such a use case, the change is still unexpected for that user.
In any case we'll get this out as soon as we can!
|
@adammike is there anything else you'd like to review here? Any thoughts on the breaking change consideration I posted above? |
|
@BrandonHoffman @adammike I don't see any reason why merging this shouldn't close the issues above, do you agree? |
|
So, @briantist you’re a lot more familiar with the code base then I am. But here is my 2 cents, from what I have seen any case where the environment variables are set results in a traceback so I don’t believe that anyone using the library as it is now could use the environment variable without having A trace back occur. That leads me to believe it should be safe, but maybe there is some edge case I’m not considering. |
|
I think both those issues should be addressed with this. |
Ah that's right, I forgot that the env code as is wouldn't have worked anyway, so I think you're right, and that we can safely call this a bugfix, thanks again! |
|
Yeah no problem thank you for being so welcoming. |
|
|
||
| from hvac import Client | ||
| from packaging.version import Version |
There was a problem hiding this comment.
packaging is a dep for various packages but should still add it as a dev dep
There was a problem hiding this comment.
good catch! Added in c765e42
briantist
force-pushed
the
certificate_fix
branch
from
54543a4 to
c765e42
Compare
* fix vault client certificates loaded from envirnoment variables * add integration test for configuration via environment variables * fix lint issues * fix python 3.7 compatability issue with tests * remove print + flip default for use_env flag * add packaging to dev dependencies --------- Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
…#943) * fix vault client certificates loaded from envirnoment variables * add integration test for configuration via environment variables * fix lint issues * fix python 3.7 compatability issue with tests * remove print + flip default for use_env flag * add packaging to dev dependencies --------- Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
It seems like the hvac library does not handle the VAULT_CLIENT_CERT and VAULT_CLIENT_KEY variables properly.
Fixes #938
Fixes #787